Cybersecurity: When the Outsider Becomes an Insider

John Walsh is Director of Product Marketing for SSH Communications Security.

The story you are about to read is true. Only the names have been changed to protect the oblivious.

Joe is the CSO of Acme Enterprise. Arriving at his office a bit late one morning, he runs into Cathy from cryptography, who comments that their IT admin, Adam, has been hard at work since about 5 a.m. This seems odd, considering Adam is not known to be a morning person. Cathy says Adam requested access to the company’s latest build system, where they keep the code to a top-secret product that is about to launch. He also requested access to HR records and the customer payment information systems for maintenance purposes. His access credentials and keys were older, she says, but they still checked out, so she let him continue.

Joe heads for his office and sees Diana from Data Loss Prevention. She tells him that she’s surprised how hard Adam has been working this morning, transferring gigabytes of data around the network. Diana figures there must be a major update in the works, and Joe agrees that’s why Adam must have come in so early. Joe’s impressed with Adam’s initiative to work off-hours, and he asks what kind of data Adam’s been transferring.

Diana admits that she has no idea, because everything is encrypted for security reasons. Data Loss Prevention can’t see what kind of data is moved in and out of the system if it is encrypted. However, she tells Joe that Cathy from cryptography said his credentials checked out, so not to worry. Adam is a trustworthy employee.

While these assurances sound reasonable, something doesn’t sit well with Joe. He stops by the office of Paul, who’s in charge of Privileged Access Management, and asks if he’s interacted with Adam today. Paul tells him that, in fact, Adam worked around him by using an SSH key pair. Joe comments that this seems like a breach of protocol, but Paul assures him that this type of thing happens all the time. Paul mumbles something about how he’s never bothered to check for new SSH keys after vaulting all the SSH keys on his first day of work; he supposes he could continuously discover SSH keys, but that seems like a lot of work…

With a growing sense of disquiet Joe finally gets to his office and fires up his laptop. His login fails; he realizes he’s forgotten his password again. As if on cue, his phone rings. It’s Adam, who is coughing and sniffling. He apologizes for calling so late in the work day, but—

Joe tells him not to worry about it because he’s called just in time to retrieve his password. Adam tells him he can help Joe but recommends that, going forward, he use the same password for everything; that way, he’ll never forget it. In fact, Adam has written his password in the clear on his computer screen at work so anyone can use his account to reset forgotten passwords when he is not in the office.

Suddenly, Joe’s uneasiness crystallizes into outright fear. “Wait a minute – you’re not in the office?” Adam confirms this, explaining that he called to say he is sick and won’t be in today. “If you’re not here, then who is touching all of our critical systems and moving massive amounts of encrypted data out of the network?”

Adam has no idea; he also has no idea how someone could have stolen the backdoor SSH key that bypasses PAM, which he keeps on his work computer – right next to his password.

Don’t Be Joe

For this story to have a different ending, Joe the CSO must realize there is no perimeter anymore, and an outsider can easily become an insider once perimeter security is breached. Every day attackers find new ways to breach enterprise perimeter security, whether through ransomware, malware or social-engineering phishing. A determined attacker can and will get in, so the security mechanisms you have in place to limit the damage once they are inside are what make the most difference.

What Joe and his team should have known:

Network environments must be continuously monitored for new SSH key deployments. Not doing so can render any PAM system useless.

Neither internal nor external networks can be trusted. All encrypted traffic needs to be inspected: encrypted traffic that is never decrypted for inspection renders any DLP, firewall or inspection tool useless.

Attackers can get into the network in a number of ways, but the most effective way for them to spread once inside is the theft of credentials such as SSH keys.

Using short-lived credentials is the most efficient way to prevent credential theft, eliminating the need for passwords or burdensome and intrusive PAM systems.
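One way to act on the first lesson above, continuous discovery of SSH keys: this added Python example (not code from the article or from SSH Communications Security) parses an authorized_keys file, fingerprints each key the way ssh-keygen does, and reports any key the vault has no record of. The file contents, key blobs and vault inventory are constructed placeholders, and the vault is assumed to be a set of SHA256 fingerprints.

```python
# Added example (not from the article): inventory the public keys in an
# authorized_keys file and flag any whose fingerprint the vault does not know.
# Sample keys are constructed placeholder bytes, not real key material.
import base64
import hashlib
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthorizedKey:
    key_type: str
    fingerprint: str  # "SHA256:..." as printed by ssh-keygen -lf
    comment: str
    options: str      # leading options field such as from="..." (empty if none)

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 public-key blob, ssh-keygen style."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """Parse authorized_keys lines, including ones with a leading options field."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted option values with spaces together
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-sha2-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # no key on this line; a production tool would report it as malformed
        keys.append(AuthorizedKey(tokens[idx], fingerprint(tokens[idx + 1]),
                                  " ".join(tokens[idx + 2:]), " ".join(tokens[:idx])))
    return keys

def unvaulted_keys(text: str, vault: set[str]) -> list[AuthorizedKey]:
    """Keys present on the host but unknown to the vault; each one is a finding."""
    return [k for k in parse_authorized_keys(text) if k.fingerprint not in vault]

# Constructed sample: one host's file plus the fingerprints PAM vaulted on day one.
BLOB_A = base64.b64encode(b"constructed-key-A").decode()
BLOB_B = base64.b64encode(b"constructed-key-B").decode()
BLOB_C = base64.b64encode(b"constructed-key-C").decode()
SAMPLE = f"""# build01:/home/deploy/.ssh/authorized_keys
ssh-ed25519 {BLOB_A} deploy@ci
command="/usr/bin/rsync --server",no-pty ssh-rsa {BLOB_B} backup@nas
ssh-ed25519 {BLOB_C} adam@workstation
"""
VAULT = {fingerprint(BLOB_A), fingerprint(BLOB_B)}
```

Run `unvaulted_keys(SAMPLE, VAULT)` on each host's files as a scheduled job and alert on any result; the third key above, never vaulted, is exactly what Paul's one-time inventory would miss.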

“Outsider Adam” could be anyone. Worse yet, he may have been there for some time, moving through and observing every aspect of Acme Enterprise’s network, waiting for the right time to make a move…possibly putting the company out of business. So don’t be like Joe; manage privileged access as though your business depends on it – because it does.

Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Informa.